Targeted Attack Protection: A Review of Endgame's Endpoint Security Platform



  • 2017 SANS Institute

    A SANS Product Review
    Written by Dave Shackleford

    October 2017

    Sponsored by Endgame

    Targeted Attack Protection: A Review of Endgame's Endpoint Security Platform

    The threat landscape continues to get progressively worse. More sophisticated attacks are being spotted in the wild, and security teams are scrambling to keep up. We face many new types of issues: advanced phishing attacks are proving all too successful, and ransomware has become a common form of malware that many seem helpless to prevent. In addition, we have many endpoints to protect, and attackers are savvy about targeting end users. Even worse, many advanced attacks don't involve malware; instead they use legitimate operating system tools, operate in memory and move laterally to accomplish their objectives and defeat traditional security programs.

    In the SANS Next-Gen Endpoint Risks and Protections survey [1] from 2017, 53 percent of respondents indicated that at least one of their endpoints had been compromised in the previous 24 months, primarily through browser exploits and social engineering. More than one-quarter (27 percent) of those who experienced a compromise noted that they discovered it via third-party notification, which suggests that many endpoint security tools and tactics in use today are inadequate. We really need better prevention and detection tools right now.

    Yesterday's signature-based detection tools are failing us more frequently because they are built upon reactive intelligence. Traditional antivirus signatures are proving less effective than they once were, as more advanced attackers are capable of morphing their code and indicators of compromise to evade signature-based methods. Additionally, many security teams have focused too narrowly on malware without looking enough at the vast variety of newer, more advanced methods attackers are using.

    Many attacks don't leverage any malware to compromise the enterprise network and move laterally from host to host. Some attacks use legitimate tools such as PowerShell to avoid detection by endpoint security platforms. Another problem is that many endpoint tools are fairly heavy-handed on system resources.

    SANS reviewed Endgame's endpoint protection product, a lightweight agent that offers prevention, detection and response, and threat hunting capabilities to rapidly stop targeted attacks before damage and loss occur. One of the primary goals of the platform is to help overcome today's security skills gap, which many SANS surveys show is the top inhibitor to achieving respondents' security and risk management goals.

    With its emphasis on ease of use, coverage of attacker tactics and techniques, rapid event triage and highly capable hunting methods, Endgame is a product with which SOC teams can hit the ground running.

    SANS ANALYST PROGRAM | Targeted Attack Protection: A Review of Endgame's Endpoint Security Platform | 1


    [1] Next-Gen Endpoint Risks and Protections: A SANS Survey, March 2017,

    Endgame Differentiators

    Pre-execution prevention, accelerated detection and automated hunting across the breadth and depth of the MITRE ATT&CK Matrix

    Single, lightweight, autonomous agent providing 24/7 protection to online and offline systems

    Artemis, an AI-powered security mentor that elevates Tier 1 analysts and accelerates Tier 3 analysts by leveraging natural-language understanding to automate data analysis, investigation, triage and response at enterprise scale

    Automated threat hunting that leverages tradecraft analytics and outlier analytics to streamline workflows and surface suspicious artifacts across millions of records in minutes

    Automated memory forensics that detects post-injected code anywhere in memory at enterprise scale in minutes


    detection is always a race against the clock, where vendor analysts need to develop signatures fast and push them out to customers before they fall victim.

    Testing Overview


    For this review, Endgame hosted a platform-in-the-cloud infrastructure. We used the Version 2.4.1 environment, which includes the autonomous agents and the software management platform. Because we chose the Endgame hosted delivery model, we did not need to install the main Endgame platform. Endgame offers the platform in an on-premises model or in a cloud-hosted environment. Installation seems relatively painless, and the documentation provided by Endgame for installation and Quick Start is thorough and detailed.

    The review environment included a primary connection to the Endgame platform, as well as Remote Desktop Protocol (RDP) connections available via jump hosts to the Windows sensors. A plethora of malware and other malicious code was available in the environment for testing, which SANS made liberal use of during the course of the review.


    We first logged into the Endgame console and explored the main dashboard. It showed us a breakdown of current alerts in the environment, endpoint agent status, and endpoint OS types. In addition, other panes in the dashboard showed the breakdown of the top priority alerts, which could help analysts in prioritizing their day. The console dashboard is shown in Figure 1.

    Figure 1. Enterprise Console Dashboard



    We explored the Endpoints dashboard next. Within this view, all deployed endpoint agents can be viewed, configured and assessed. The Endpoints dashboard is shown in Figure 2.

    Figure 2. Endpoints Dashboard

    The Endpoints dashboard was simple to use. Endpoints can be discovered with Endgame's built-in network scanner, looking for systems within the environment. Endpoints that do not have Endgame agents are flagged as Unmanaged and can then have sensors deployed to them directly through the console, per policy.

    Configure Endpoints

    Analysts can configure the endpoints with a protection policy by selecting those they want to configure or modify, then choosing Misc Actions and finally Configure. The configuration window then opens, and various protection, detection, alerting and response configurations for the chosen agent(s) can be implemented in real time. These will each be covered in the respective sections discussing the capabilities of the product.


    Investigate and Hunt

    This dashboard also allows analysts to initiate investigations by choosing assets and then clicking Create Investigation. In the pane that appears, they can name the investigation, assign a profile or create a new one, assign analysts to the investigation and add hunts to the investigation to gather and include evidence (covered later). The Investigation pane is shown in Figure 3.

    Figure 3. Initiating an Investigation

    The Alerts dashboard presents a list of the current and most recent alerts noted by the system. These can be selected to drill into and triage each alert, and alerts can also be selected to assign to particular users, facilitating team-based analysis, triage and incident response. The Alerts dashboard is shown in Figure 4 on the next page.


    Figure 4. Alerts Dashboard

    The Investigations dashboard is the central location that aggregates investigations in progress (once initiated). Analysts can update and finalize (archive) their investigations from this pane.


    The final area of the console that we explored was the Administration pane. The Administration console provides the following capabilities:

    User management: Create, delete and manage users and their assigned roles (levels 1-3, as well as admin)

    Sensor management: Create and manage sensor profiles (version, protections in place and specific configuration of deployment attributes)

    Alert management: Transfer alerts to central event aggregation tools if needed

    Whitelist management: Whitelist alerts to prevent event overload when false positives or low-severity issues are detected

    Platform management: Enable multi-client activation, which provides customers a single dashboard to view the health and status of the endpoints; this is beneficial to customers who have more than 50,000 endpoints or have endpoints in various geographies

    Creating a new sensor profile was simple. In the Sensor Management pane of the Administration console, an admin can click Create New Sensor Profile, name the profile and point to a transceiver (the platform it will connect back to). Then the admin selects the binary for the preferred Endgame sensor version, and that's it. Once the new sensor profile is created, the admin can configure the default protection controls in place for the sensors. These are covered in more detail in the upcoming sections.


    Endgame Prevention, Detection and Response, and Threat Hunting


    Today, an attacker's goals are data access and exfiltration. Sophisticated attackers often use advanced nation-state techniqu